Viewing Cluster State

Example

Member1> show cluster state
 
Cluster Mode:   High Availability (Active Up) with IGMP Membership
 
ID         Unique Address  Assigned Load   State          Name
 
1 (local)  11.22.33.245    100%            ACTIVE(!)      Member1
2          11.22.33.246    0%              DOWN           Member2
 
 
Active PNOTEs: COREXL
 
Last member state change event:
   Event Code:                 CLUS-116505
   State change:               INIT -> ACTIVE(!)
   Reason for state change:    All other machines are dead (timeout), FULLSYNC PNOTE
   Event time:                 Sun Sep  8 15:28:39 2019
v Cluster failover count:
   Failover counter:           0
   Time of counter reset:      Sun Sep  8 15:28:21 2019 (reboot)
 
Member1>

Description of the "cphaprob state" command output fields:

Table: Description of the output fields

Field

Description

Cluster Mode

Can be one of these:

ID

Unique Address

Usually, shows the IP addresses of the Sync interfaces.

In some cases, can show IP addresses of other cluster interfaces.

Assigned Load

State

  • In the ClusterXL High Availability mode, only one Cluster Member in a fully-functioning cluster must be ACTIVE, and the other Cluster Members must be in the STANDBY state.

  • In the ClusterXL Load Sharing modes (Unicast and Multicast), all Cluster Members in a fully-functioning cluster must be ACTIVE.

  • In 3rd-party clustering configuration, all Cluster Members in a fully-functioning cluster must be ACTIVE. This is because this command only reports the status of the Full Synchronization process.

See the summary table below.

Name

Shows the names of Cluster Members' objects as configured in SmartConsole.

Active PNOTEs

Shows the Critical Devices that report theirs states as "problem" (see Viewing Critical Devices).

Last member state change event

Shows information about the last time this Cluster Member changed its cluster state.

Event Code

Shows an event code.

For information, see sk125152.

State change

Shows the previous cluster state and the new cluster state of this Cluster Member.

Reason for state change

Shows the reason why this Cluster Member changed its cluster state.

Event time

Shows the date and the time when this Cluster Member changed its cluster state.

Last cluster failover event

Shows information about the last time a cluster failoverClosed Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over. occurred.

Transition to new ACTIVE

Shows which Cluster Member became the new Active.

Reason

Shows the reason for the last cluster failover.

Event time

Shows the date and the time of the last cluster failover.

Cluster failover count

Shows information about the cluster failovers.

Failover counter

Shows the number of cluster failovers since the boot.

Notes:

  • This value survives reboot.

  • This counter is synchronized between Cluster Members.

Time of counter reset

Shows the date and the time of the last counter reset, and the reset initiator.

When you examine the state of the Cluster Member, consider whether it forwards packets, and whether it has a problem that prevents it from forwardingClosed Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. For more information, see "Forwarding Layer in Cluster" and "ARP Forwarding". packets. Each state reflects the result of a test on critical devices. This table shows the possible cluster states, and whether or not they represent a problem.

Table: Description of the cluster states

Cluster
State

Description

Forwarding
packets?

Is this
state a
problem?

ACTIVE

Everything is OK.

Yes

No

ACTIVE(!)

ACTIVE(!F)

ACTIVE(!P)

ACTIVE(!FP)

A problem was detected, but the Cluster Member still forwards packets, because it is the only member in the cluster, or because there are no other ActiveClosed State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. members in the cluster. In any other situation, the state of the member is Down.

Yes

Yes

DOWN

One of the Critical Devices reports its state as "problem" (see Viewing Critical Devices).

No

Yes

LOST

The peer Cluster Member lost connectivity to this local Cluster Member (for example, while the peer Cluster Member is rebooted).

No

Yes

READY

State Ready means that the Cluster Member recognizes itself as a part of the cluster and is literally readyClosed State of a Cluster Member during after initialization and before promotion to the next required state - Active / Standby / VRRP Master / VRRP Backup (depending on Cluster Mode). A Cluster Member in this state does not process any traffic passing through cluster. A member can be stuck in this state due to several reasons. to go into action, but, by design, something prevents it from taking action. Possible reasons that the Cluster Member is not yet Active include:

See sk42096 for a solution.

No

No

STANDBY

Applies only to a High Availability mode. Means that the Cluster Member waits for an Active Cluster Member to fail in order to start packet forwarding.

No

No

BACKUP

Applies only to a VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster in Virtual System Load Sharing mode with three or more Cluster Members configured.

State of a Virtual System on a third (and so on) VSX Cluster Member.

No

No

INIT

The Cluster Member is in the phase after the boot and until the Full SyncClosed Process of full synchronization of applicable kernel tables by a Cluster Member from the working Cluster Member(s) when it tries to join the existing cluster. This process is meant to fetch a ‎"snapshot" of the applicable kernel tables of already Active Cluster Member(s). Full Sync is performed during the initialization of Check Point software (during boot process, the first time the Cluster Member runs policy installation, during 'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this Cluster Member remains in the Down state, because until it is fully synchronized with other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets continue to arrive, and the Cluster Member that tries to join the existing cluster, stores them in the kernel memory until the Full Sync completes. The whole Full Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the Sync network, it tries the other cluster interfaces). The information is sent by fwd daemons in chunks, while making sure they confirm getting the information before sending the next chunk. Also see "Delta Sync". completes.

No

No